Header Shadow Image


OpenWRT: Microsoft Azure to Cloudera CDH via VPN Gateway

Pages: 1 2 3 4 5 6 7

Configuring StrongSwan on Asus Merlin Firmware (not working)

Unfortunately, I didn't have luck with DD-WRT but I certainly thought I would have luck with the Asus Merlin software.  The final configuration I tried with Asus Merlin is shown below.  Unfortunately, I never ended up establishing a successful connection to my Azure account after quite some time of trial and error.  This is due to the same issue as above however much fewer modules existed on the Asus Merlin firmware vs DD-WRT or OpenWRT unfortunately.  This is NOT to say another IPSec Asus Merlin implementation won't work in other situations.  YMMV.

The solution assumes the topology shown above. 100.100.100.100 represents the Azure VPN Gateway IP. :123.123.123.123 represents the on-prem gateway IP.

StrongSwan ipsec configuration.

admin@ASUS-MERLIN-INTERNET:/tmp/mnt/sda/entware/etc# cat ipsec.conf
# ipsec.conf – strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

# Add connections here.
conn %default
        # dpdaction=none
        dpdaction=clear
        keyexchange=ikev2
        forceencaps=yes
        fragmentation=yes

        keylife=3600s
        ikelifetime=28800s
        rekey=yes
        rekeymargin=3m
        keyingtries=1
        mobike=no
        lifebytes=102400000

        type=tunnel
        auto=start
        authby=secret

        ike=aes256-sha1-modp1024
        esp=aes256-sha1


conn remote-to-asus
        left=192.168.0.6
        leftid=123.123.123.123
        right=192.168.0.16


conn asus-to-remote
        left=192.168.0.16
        leftid=100.100.100.100
        right=192.168.0.6
        rightid=192.168.0.16


conn azure-s2s

        # ———-
        # LEFT
        # ———-
        # left=123.123.123.123                 # IP address of your on-premises gateway
        left=192.168.0.16                  # IP address of your on-premises gateway

        leftsubnet=192.168.0.0/24,10.0.0.0/24,10.1.0.0/24,10.2.0.0/24,10.3.0.0/24       # Home LAB – Local
        leftfirewall=yes
        # leftsubnet=0.0.0.0/0

        # ———-
        # RIGHT
        # ———-
        right=100.100.100.100                   # Remote VPN gateway IP address
        # right=%any
        # rightid=%any
        rightsubnet=10.10.0.0/24,10.10.10.0/24,10.10.20.0/24,10.10.30.0/24    # Remote network subnet defined in public cloud
        # rightsubnet=0.0.0.0/0
        rightfirewall=yes

admin@ASUS-MERLIN-INTERNET:/tmp/mnt/sda/entware/etc#

StrongSwan configuration file in strongswan.conf :

admin@ASUS-MERLIN-INTERNET:/tmp/mnt/sda/entware/etc# cat strongswan.conf
# strongswan.conf – strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files
# Verbosity levels
# -1: Absolutely silent
# 0: Very basic auditing logs, (e.g. SA up/SA down)
# 1: Generic control flow with errors, a good default to see whats going on
# 2: More detailed debugging control flow
# 3: Including RAW data dumps in Hex
# 4: Also include sensitive material in dumps, e.g. keys
charon {
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
        filelog {
                charon {
                        path = /var/log/charon.log
                        time_format = %b %e %T
                        append = no
                        default = 0 # in case troubleshoot is required switch this to 2
                }
                stderr {
                        ike = 1 # in case troubleshoot is required switch this to 2
                        knl = 1 # in case troubleshoot is required switch this to 3
                        ike_name = yes
                }
        }
        syslog {
                # enable logging to LOG_DAEMON, use defaults
                daemon {
                }
                # minimalistic IKE auditing logging to LOG_AUTHPRIV
                auth {
                        default = 1 # in case troubleshoot is required switch this to 2
                        ike = 1 # in case troubleshoot is required switch this to 2
                }
        }
}
include strongswan.d/*.conf
admin@ASUS-MERLIN-INTERNET:/tmp/mnt/sda/entware/etc#

 

The final partial connection status: 

admin@ASUS-MERLIN-INTERNET:/tmp/mnt/sda/entware/etc# ipsec restart; sleep 2; ipsec statusall
Stopping strongSwan IPsec…
Starting strongSwan 5.9.0 IPsec [starter]…
Status of IKE charon daemon (strongSwan 5.9.0, Linux 2.6.36.4brcmarm, armv7l):
  uptime: 2 seconds, since Oct 24 00:04:31 2020
  malloc: sbrk 815104, mmap 0, used 380552, free 434552
  worker threads: 6 of 16 idle, 6/0/4/0 working, job queue: 0/0/0/0, scheduled: 18
  loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp gmpdh curve25519 agent xcbc cmac hmac ctr ccm gcm curl mysql sqlite attr kernel-libipsec kernel-netlink resolve socket-default socket-dynamic farp stroke vici smp updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
Listening IP addresses:
  192.168.0.16
  10.1.1.1
Connections:
remote-to-asus:  192.168.0.16…192.168.0.6  IKEv2, dpddelay=30s
remote-to-asus:   local:  [192.168.0.16] uses pre-shared key authentication
remote-to-asus:   remote: [123.123.123.123] uses pre-shared key authentication
remote-to-asus:   child:  dynamic === dynamic TUNNEL, dpdaction=clear
asus-to-remote:  192.168.0.16…192.168.0.6  IKEv2, dpddelay=30s
asus-to-remote:   local:  [100.100.100.100] uses pre-shared key authentication
asus-to-remote:   remote: [192.168.0.16] uses pre-shared key authentication
asus-to-remote:   child:  dynamic === dynamic TUNNEL, dpdaction=clear
   azure-s2s:  192.168.0.16…100.100.100.100  IKEv2, dpddelay=30s
   azure-s2s:   local:  [192.168.0.16] uses pre-shared key authentication
   azure-s2s:   remote: [100.100.100.100] uses pre-shared key authentication
   azure-s2s:   child:  192.168.0.0/24 10.0.0.0/24 10.1.0.0/24 10.2.0.0/24 10.3.0.0/24 === 10.10.0.0/24 10.10.10.0/24 10.10.20.0/24 10.10.30.0/24 TUNNEL, dpdaction=clear
Security Associations (2 up, 0 connecting):
asus-to-remote[4]: ESTABLISHED 2 seconds ago, 192.168.0.16[100.100.100.100]…192.168.0.6[192.168.0.16]
asus-to-remote[4]: IKEv2 SPIs: c8279d8c3663f863_i 35c4da0512fcbaeb_r*, pre-shared key reauthentication in 7 hours
asus-to-remote[4]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
   azure-s2s[3]: ESTABLISHED 2 seconds ago, 192.168.0.16[192.168.0.16]…100.100.100.100[100.100.100.100]
   azure-s2s[3]: IKEv2 SPIs: c8279d8c3663f863_i* 35c4da0512fcbaeb_r, pre-shared key reauthentication in 7 hours
   azure-s2s[3]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
admin@ASUS-MERLIN-INTERNET:/tmp/mnt/sda/entware/etc#

admin@ASUS-MERLIN-INTERNET:/tmp/mnt/sda/entware/etc#
admin@ASUS-MERLIN-INTERNET:/tmp/mnt/sda/entware/etc# ipsec status
Security Associations (2 up, 0 connecting):
asus-to-remote[4]: ESTABLISHED 6 seconds ago, 192.168.0.16[100.100.100.100]…192.168.0.6[192.168.0.16]
   azure-s2s[3]: ESTABLISHED 6 seconds ago, 192.168.0.16[192.168.0.16]…100.100.100.100[100.100.100.100]
admin@ASUS-MERLIN-INTERNET:/tmp/mnt/sda/entware/etc#

Shared secret file:

admin@ASUS-MERLIN-INTERNET:/tmp/mnt/sda/entware/etc# cat ipsec.secrets
# /etc/ipsec.secrets – strongSwan IPsec secrets file
123.123.123.123 100.100.100.100 : PSK "ym9mK2Mpr6nEVGZG"
192.168.0.6 192.168.0.16 : PSK "ym9mK2Mpr6nEVGZG"
192.168.0.16 192.168.0.6 : PSK "ym9mK2Mpr6nEVGZG"
admin@ASUS-MERLIN-INTERNET:/tmp/mnt/sda/entware/etc#

The setup was not without issues.  Here are some of the most common messages I encountered and how I solved them.  The key to configuring IPSEC / StrongSwan was in understanding the various messages in the log, what they mean and what was expected.  The pieces came together once I fully understood the second message.

Pages: 1 2 3 4 5 6 7


     
  Copyright © 2003 - 2013 Tom Kacperski (microdevsys.com). All rights reserved.

Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 Unported License